Verifone is investigating a breach that it has described as "a limited cyber intrusion" into its corporate network." It believes that "that due to our immediate response, the potential for misuse of information is limited."
KrebsOnSecurity has published an internal memo dated Jan. 23 sent to all Verifone staff and contractors. It says the payment solutions firm is currently investigating an IT control matter, and asks everyone to change their employee passwords within 24 hours. It also states that employees will no longer be able load new software onto their company desktop and laptop computers; that is, local admin privileges are being removed.
These two actions are typical responses to an actual or likely breach -- although many security professionals will be surprised that staff still had local admin status. The memo was sent by Steve Horan, Verifone's CIO, rather than CISO David Galas. At this time, the Krebs report is the sole source of information on the breach.
A Verifone spokesperson told Krebs, "In January 2017, Verifone's information security team saw evidence of a limited cyber intrusion into our corporate network. Our payment services network was not impacted. We immediately began work to determine the type of information targeted and executed appropriate measures in response. We believe today that due to our immediate response, the potential for misuse of information is limited." At that time he declined to give any further information.
However, a 'source' told Krebs that the internal memo was in response to warnings from Visa and Mastercard. Historically, many breaches are discovered not by organizations themselves, but by banks and financial institutions detecting suspect patterns in account usage. If this is what happened, and the 'limited incursion' is related to the Visa and Mastercard alerts, then the implication is that the breach was more extensive than Verifone is currently claiming.
However, Krebs' source (who seems to have deep inside knowledge of the breach) goes further, claiming that Mastercard and Visa suggested that "the intruders appeared to have been inside of Verifone's network since mid-2016." He also told Krebs "there is ample evidence the attackers used some of the same toolsets and infrastructure as the cybercrime gang that last year is thought to have hacked into Oracle's MICROS division."
If this is true, although it cannot currently be verified, then the finger points at the gang usually known as Carbanak or Anunak. In February 2015, Kaspersky Lab described this gang as a group of cybercriminals from Russia, Ukraine and other parts of Europe and China.
Given that the Verifone memo locks down endpoints and changes passwords, it seems likely that the initial intrusion has been traced to an employee device. Statistically, it would be a reasonable assumption that someone fell for a phishing attack and installed malware; but that is just another assumption at this point. However, if Krebs' source is correct, then the attackers had been inside Verifone for at least six months before this remedial action was taken.
Six months gives attackers ample time to perform lateral movement. This would be hindered by effective network segmentation within Verifone. It seems that this might be the case. The Verifone spokesperson described it as a limited incursion. Krebs' source only mentions one affected area of Verifone: "A customer support unit based in Clearwater, Fla. that provides comprehensive payment solutions specifically to gas and petrol stations throughout the United States - including, pay-at-the-pump credit card processing; physical cash registers inside the fuel station store; customer loyalty programs; and remote technical support."
This now seems to have been confirmed by Verifone. Following Krebs' initial report it issued an update to its original statement. "According to the forensic information to-date, the cyber attempt was limited to controllers at approximately two dozen gas stations, and occurred over a short time frame. We believe that no other merchants were targeted and the integrity of our networks and merchants' payment terminals remain secure and fully operational."
On the surface, it appears that Verifone has indeed experienced a breach, but the effects were limited and have been contained. Nevertheless, we will need to await further developments before this is independently confirmed. Six months remains a lengthy period to have attackers as advanced and experienced as Carbanak inside your networks; and it remains a possibility that they may have moved laterally to other parts of the Verifone network.